Name's Jason Thibeault. I'm an IT guy, skeptic, feminist, gamer and atheist, and love OSS, science of all stripes (especially space-related stuff), and debating on-line and off. I enjoy a good bit of whargarbl now and again, and will occasionally even seek it out. I am also apparently responsible for the death of common sense on the internet. My bad.

Much ado about cyber-nothing

I’ve been drowned in the world of tech over this holiday season. It is, after all, my lifeblood, as well as my hobby — it’s how I pay the bills and help keep this family afloat. So time has been in short supply for anything but work, and I’ve been choosing (as I mentioned recently) to spend most of my free time either playing Starbound (an absolutely incredible space sandbox game that’s still in pre-release — I’m going to write up a review ASAP), or working on learning Java and creating a procedurally generated platform game that will probably never see market because I suck at art.

Pictured: wanted cyber-criminal “The Hamburgler”

Being drowned in tech as I am, the things I’ve been reading are mostly technology-related as of late. That doesn’t mean I’ve stopped being a skeptic or atheist — just that they haven’t been topics on my must-read list.

This particular piece in All Tech Considered made the skeptical and security-minded tech parts of my brain flip the hell out, and I figured I should share that feeling with you. The piece starts appropriately doomsday, extrapolating from the actual information at hand in a manner that makes me think the piece was written by a very experienced science journalist:

If your computer is infected with a virus or other forms of malware, disconnecting the machine from the Internet is one of the first steps security experts say you should take. But someday, even physically separating your laptop from a network may not be enough to protect it from cyber evildoers.

Yes, and someday, Skynet may happen. Someday, computer viruses may cross the computer-human barrier. Someday, computers may be using you as a PDA.

The piece describes the common security procedure of creating an air-gap between your computer and the internet — that is, if you have important secure files, you never let those files exist on a computer that has any visibility on the internet. You wouldn’t want the software running your traffic lights to be internet-aware, would you? So you keep them the hell separate, thus “air-gap”.

But researchers have figured out a way to pass information at ultrasonic frequencies using a computer’s speakers and another computer’s microphone, breaching that gap between networked computers by creating a secondary channel through which info can pass.

The main reason I think this story is bullshit is that any such exploit is defeated by the simple expedient of removing your super-secure computer’s sound card, speakers and microphone.

If it can’t make or receive noise, it can’t send anything over the ultrasonic frequency range. Additionally, no part of the computer is designed to listen to your microphone by default under normal circumstances, much less execute code from it — though if there was such a program on your computer designed to listen at all times, it might be exploited via buffer overflows or the likes if it was poorly (or maliciously) designed. And if sound can travel loudly enough that your microphone on your computer can pick it up, then you have a malicious user right there in your datacentre to begin with, and you better damn well look at your physical security first.
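The mitigation described above (a secure machine with no sound card, speakers or microphone) can be verified rather than assumed. This is an added example, not part of the original post: it assumes a Linux host with ALSA's `/proc/asound/cards` and `/proc/modules` layout, and all function names and sample data are hypothetical.

```shell
#!/bin/sh
# Added example: check that a Linux host exposes no audio hardware or drivers.
# Assumes the ALSA procfs layout; function names are hypothetical.

# Names of sound cards in a /proc/asound/cards style file (one per line).
list_sound_cards() {
    cards_file=${1:-/proc/asound/cards}
    [ -r "$cards_file" ] || return 0   # file absent: ALSA not loaded, no cards
    # Header lines look like " 0 [PCH            ]: HDA-Intel - HDA Intel PCH"
    sed -n 's/^ *[0-9][0-9]* *\[\([^]]*\)\]:.*/\1/p' "$cards_file" | sed 's/ *$//'
}

# Loaded sound driver modules in a /proc/modules style file (one per line).
list_sound_modules() {
    modules_file=${1:-/proc/modules}
    [ -r "$modules_file" ] || return 0
    awk '$1 ~ /^(snd|soundcore)/ { print $1 }' "$modules_file"
}

# Exit status 0 if the host is audio-free, 1 if any card or driver is found.
audit_audio() {
    cards=$(list_sound_cards "${1:-/proc/asound/cards}")
    modules=$(list_sound_modules "${2:-/proc/modules}")
    if [ -z "$cards" ] && [ -z "$modules" ]; then
        echo "PASS: no sound cards or sound modules"
        return 0
    fi
    [ -n "$cards" ] && echo "FAIL: sound card(s): $(echo $cards)"
    [ -n "$modules" ] && echo "FAIL: sound module(s): $(echo $modules)"
    return 1
}

# Constructed sample data (not captured from a real host) for an offline run.
write_samples() {
    dir=$1
    cat > "$dir/cards" <<'EOF'
 0 [PCH            ]: HDA-Intel - HDA Intel PCH
                      HDA Intel PCH at 0xf7f10000 irq 33
EOF
    printf '%s\n' 'snd_hda_intel 53248 0 - Live 0x0000000000000000' \
                  'e1000e 286720 0 - Live 0x0000000000000000' > "$dir/modules"
    echo '--- no soundcards ---' > "$dir/cards_none"
    echo 'e1000e 286720 0 - Live 0x0000000000000000' > "$dir/modules_none"
}
```

Calling `audit_audio` with no arguments reads the live `/proc` files; a host with onboard audio fails the check until the device is disabled in firmware or its driver is kept from loading.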

The main technological problem with this story is that the plausibility of it depends entirely on software being installed on your computer that means your computer is already compromised. If you have this software on your computer, if such software even exists, then YOU WERE ALREADY HACKED.

And yet, like with stories about exploits being used to smuggle weapons and bombs onto airplanes, even the attempt will result in a ratcheting-up of security theatre. I anxiously await the time that my bosses ask me to remove the sound cards from all our servers, even though a basic sound card is installed on most motherboards by default now, and I’ve only ever seen a set of speakers attached to a server on exactly one occasion — on call-recording software. It didn’t have a microphone to receive the instructions, though. And all such a microphone would pick up is the airplane-decibel “quiet drone” of the servers on that rack.

I call bullshit on the whole “advanced persistent threat” narrative presented in this piece in specific, and the ongoing race to find new bugaboos to be afraid of in the computer world in general. Instead of starting at ghosts invented by cross-classed computer techs – slash – horror story authors, these journalists should be focusing on the real threats. Threats like corporations storing your credit card PINs in a way that they can be stolen by hackers that just need to brute-force one 3DES key at an effective bit-strength of 80 bits to open a treasure-trove of credit card data.

Yeah, this pretty much couldn’t be any less plausible. Just a few objections off the top of my head…
For one thing, a set of off-the-shelf PC speakers are just not up to the task of delivering supersonic information–they’re generally designed to reproduce midrange to presence frequencies (say, between 100Hz-16kHz or so, broadly conjecturing–different models will perform differently, but very low and very high frequencies are nearly always poorly represented on consumer grade equipment); plus, supersonic information would alias well into the audible range, thereby ruining the integrity of the signal (not to mention it would then be easy to hear and definitely irritating enough to want to stop), and/or be wicked away by the reconstruction filter in the computer’s digital-to-audio converter. You’d need specialized hardware AND software on the transmitting side before that aspect of it could begin to be taken seriously, and at that point software security is no longer really the issue at hand. And that’s before the signal even hits the air.
Furthermore, an onboard computer mic wouldn’t cut it on the receiving end–it may or may not capture those frequencies (that bit is fairly plausible), but the signal would find itself on the business end of the converter’s antialiasing filter–thus again necessitating specialized hardware. Additionally, even granting all that, the receiving computer (which you rightly point out would have to already be seriously compromised) would require some extremely (actually kind of implausibly) sophisticated software to make sense of the incoming signal; it would pretty much have to be a pulse code modulation signal, which is very robust and also trivial to convert to digital information, but there are some serious problems inherent in broadcasting it acoustically–first, the phase shifting and comb filtering effects of broadcasting in a confined space filled with stuff would probably ruin the signal; secondly, the reverberant characteristics of the room, especially the early reflections, would totally fuck it up; thirdly, high frequencies are easily absorbed, and frankly, any plot that can be foiled by hanging duvetine is not exactly a winner.

If your computer is infected with a virus or other forms of malware, disconnecting the machine from the Internet is one of the first steps security experts say you should take.

Who says that? It’s far from that simple. First off – how did the malware get detected? Often, by its traces on the network. Disconnect the network and you’ve just removed it from command/control and if the malware is written to scramble the system in a certain number of days with no update, you’ve just started the timer.

I know Dragos and he’s a smart fellow and far from a member of the tinfoil hat brigade. On the other hand, I think he’s barking up the wrong tree with this one. He’s closely plugged in with the hacker/“vulnerability researcher” community and those people are primary targets of the intelligence community’s efforts against “cyber terrorists”* – you don’t need to conjure a complicated scenario with super duper malware as an explanation when a couple of black bag jobs from the FBI or British Columbia’s equivalent will do. Those guys are not at all above breaking and entering into someone’s residence or place of business or computer or laptop.

(* Bullshit, of course. Now that we know NSA and others are weaponizing malware, we can infer more accurately that they are concerned with tracking hackers and vulnerabilities because they want them or want to get into the pants of the people who are developing them)

Last time I checked up on the evolving story of Dragos’ malware, it seemed that what was freaking him out was he detected something, re-imaged his system, and it was rapidly re-infected. Then he started hypothesizing all kinds of crazy ways that the re-infection could have occurred. To me the most plausible scenario is an agent shows up at the superintendent’s office with a classified warrant and says “give me the key to room 11B” and goes upstairs, puts a USB stick in the computer, and reboots it then leaves.

though if there was such a program on your computer designed to listen at all times, it might be exploited via buffer overflows or the likes if it was poorly (or maliciously) designed.

Like, say, the Xbox One? Granted, I have no idea why you’d be storing important info on one, but as we trend towards new input techniques (including an increasing use of voice command, even when it’s still mostly very broken), the idea of most computers (especially smartphones) existing in an always-listening state is not at all far-fetched. Still, it just doesn’t seem USEFUL, as Jason points out here:

And if sound can travel loudly enough that your microphone on your computer can pick it up, then you have a malicious user right there in your datacentre to begin with, and you better damn well look at your physical security first.

And here:

The main technological problem with this story is that the plausibility of it depends entirely on software being installed on your computer that means your computer is already compromised. If you have this software on your computer, if such software even exists, then YOU WERE ALREADY HACKED.

On the other hand, maybe there’s some malware built into the hardware that keeps infecting the system. Audio-based cracking may not be feasible or useful at the moment, but it’s worth exploring as an idea in the event some clever spies ever DO come up with ways around the limitations, no? I think this is especially true with the continuing push for implementation of audio command interfaces. Play a coded audio sequence at someone’s Google Glass (not a disconnected computer to be sure, but relevant to audio data/command transfer) to activate that back door you got Google to insert into the OS, and you see everything the user does.

This brings back memories of stories I remember from the 1970’s. Back then, the phones were analog, and phone hackers could make free phone calls by generating a 2600 Hz tone to simulate the interrupt tone phone service guys used.

I know you’re kidding (or really, really ignorant) but that was sooo 1980s. Nowadays it’s your HDMI cable that’s the critical conduit. The whole system needs to be on isolated power in a faraday cage and even then you’ll get owned when you connect it to anything. Besides, depending on the manufacturer, they are already in the BIOS, which gives them complete access to the bus at interrupt priority. As Pvt Hudson says, “game over, man!”

Having your BIOS infected by someone with a USB key and physical access to your computer? SAY IT AIN’T SO.

Having someone actually, practically, decrypt from low-frequency audio the actual key from a multitasking, multicore computer using a phone or directional microphone MIGHT be possible, given how deterministic a computer is, but I would wager that it requires knowing a whole lot more about your target computer’s normal operations that are not necessarily controllable, which requires getting at the system physically, again, meaning, again, you’re already owned. And it’s foiled easily by having the server in a rack that is entirely humming with the vibrations of every other server in the rack. That’s a lot of noise to rip out and ignore as chaff. This isn’t nearly as easy or clean as you might think, Eric.

Why go audio when you can go optic? Since it’s almost as likely that a given computer will have some sort of webcam connected these days as having a microphone, just have some segment of the other computer’s screen flicker to transmit the data to the receiving computer. Heck, if we’re going full Mission Impossible, just modulate the power to the lights in the room and use the resultant fluctuation to pass on the information; even less need for line-of-sight at that point. Sure, it still requires initial access to the computer to “update” it, but fiddly little details like that are for others to figure out…

Now back to writing my who-dunnit where I leave it up to the reader to figure out who diddit, how, and why.